
Well, this is the situation I am experiencing:

I've got a dedicated server from OVH and a dedicated server from another company. Since the maximum RAM for the OVH server (GAME category) is 64Gb of RAM and I need more, I'd like to make a GRE tunnel (or a NAT tunnel? I guess? I don't know, I saw that on another site) in order to use IPs that are actually assigned to my OVH server on the other dedicated server, so that I can virtualize it with those IPs. To be clear:

I've got Server 1 which is DDoS protected, and Server 2 which isn't protected at all.

The mission is: Make DDoS protected VPSes on Server 2.

In order to do that I need to use IPs that are allocated to Server 1. Which type of tunnel should I use in order to do that, and how (because even if you tell me the type of tunnel I'd still be totally new at it, I guess, so if you can, please link a guide)?

Thanks in advance!

Regards.

Matthew

1 Answer

If DDoS protection is implemented on devices in front of your server, then you can probably use either a GRE or an IPIP tunnel if you have two Linux boxes. An IPIP tunnel will only work for Linux OS (while GRE is more interoperable, i.e. with Cisco); more importantly, an IPIP tunnel is only suitable for unicast packets. Broadcast won't be sent over.

This is really dead simple given you have a recent kernel and the iproute2 package installed. In order to create a tunnel you will need to create a virtual interface on both ends of the tunnel (server 1 and server 2). Something like below should work:

root@server1:~$ ip tunnel add tunnel0 mode gre remote server2_ip
root@server1:~$ ip link set dev tunnel0 up
root@server2:~$ ip tunnel add tunnel0 mode gre remote server1_ip
root@server2:~$ ip link set dev tunnel0 up

Then make sure server1 doesn't have the IP address you want to allocate to server2 configured and add a route on server1 to join server2 IP:

root@server1:~$ ip r a ovh_ip dev tunnel0

And add the IP to server2

root@server2:~$ ip a a ovh_ip/32 dev tunnel0

At this point server1 should be able to ping ovh_ip on server2.

You will then need to configure server1 as a router to make ovh_ip reachable from anywhere on the internet. However, with this simple configuration, be aware that routing on server2 is asymmetric: packets coming in to ovh_ip will enter via interface test0 (so hoster2 routers will see a GRE packet), while response packets will be routed through server2's default gateway (hoster2 routers will see a regular IP packet). This can cause trouble with some firewalls or even with Linux rp_filter protection. Make sure it is not a problem. If it is a problem you will have to make routing symmetric by adding additional source NAT when packets go through tunnel0 at server1.

I hope it helps

alxgomz
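The full procedure from the answer, scripted, as an added example that is neither the answer's nor OVH's own code. It assumes two Linux hosts with iproute2, iptables and root access, uses constructed placeholder addresses (198.51.100.10 for server1, 203.0.113.20 for server2, 198.51.100.77 for the failover ovh_ip, 10.200.0.0/30 for the tunnel endpoints), and goes one step beyond the answer: besides the source NAT on server1 that the answer names (RETURN_PATH=snat), it offers a policy route on server2 (RETURN_PATH=policy, the default) that also makes the return path symmetric but keeps the real client source addresses visible on the VPS host. It also restricts GRE to the known peer, since the tunnel itself carries no authentication.

```shell
#!/bin/sh
# Added example, not code from the answer above: it scripts the GRE tunnel the
# answer builds by hand, pins GRE to the known peer, and makes server2's return
# path symmetric. Every address below is a constructed placeholder.
#
#   ROLE=server1 sh gre-failover.sh            # run as root on the OVH box
#   ROLE=server2 sh gre-failover.sh            # run as root on the other box
#   DRY_RUN=1 ROLE=server1 sh gre-failover.sh  # print the commands only

SERVER1_IP="${SERVER1_IP:-198.51.100.10}"  # public address of server1 (placeholder)
SERVER2_IP="${SERVER2_IP:-203.0.113.20}"   # public address of server2 (placeholder)
OVH_IP="${OVH_IP:-198.51.100.77}"          # failover IP routed to server1, to live on server2
TUN_ADDR1="10.200.0.1"                     # tunnel endpoint addresses, a private /30
TUN_ADDR2="10.200.0.2"
RETURN_PATH="${RETURN_PATH:-policy}"       # "policy": source routing on server2 (keeps client IPs)
                                           # "snat":   source NAT on server1 (what the answer names)
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# GRE (IP protocol 47) has no authentication: accept it only from the one peer,
# so a GRE packet arriving from anywhere else is dropped instead of decapsulated.
gre_firewall() {
    run iptables -A INPUT -p gre -s "$1" -j ACCEPT
    run iptables -A INPUT -p gre -j DROP
}

# Create tunnel0 with explicit local/remote endpoints and give it a /30 address,
# so each side has a next hop to point routes at.
tunnel_up() {
    run ip tunnel add tunnel0 mode gre local "$1" remote "$2" ttl 64
    run ip addr add "$3/30" dev tunnel0
    run ip link set dev tunnel0 up
}

setup_server1() {
    gre_firewall "$SERVER2_IP"
    tunnel_up "$SERVER1_IP" "$SERVER2_IP" "$TUN_ADDR1"
    run sysctl -w net.ipv4.ip_forward=1               # server1 acts as the router for ovh_ip
    run ip route add "$OVH_IP/32" dev tunnel0         # ovh_ip now lives behind the tunnel
    if [ "$RETURN_PATH" = "snat" ]; then
        # Rewrite the source of everything entering the tunnel to server1's
        # tunnel address, so server2 can only answer back through tunnel0.
        run iptables -t nat -A POSTROUTING -o tunnel0 -j SNAT --to-source "$TUN_ADDR1"
    fi
}

setup_server2() {
    gre_firewall "$SERVER1_IP"
    tunnel_up "$SERVER2_IP" "$SERVER1_IP" "$TUN_ADDR2"
    run ip addr add "$OVH_IP/32" dev tunnel0
    # Loose reverse-path filtering on tunnel0: strict mode drops packets whose
    # source address is not routed back out through the interface they came in on.
    run sysctl -w net.ipv4.conf.tunnel0.rp_filter=2
    if [ "$RETURN_PATH" = "policy" ]; then
        # Replies sourced from ovh_ip leave via tunnel0 instead of the default
        # gateway, so hoster2 only ever sees GRE between the two servers.
        run ip rule add from "$OVH_IP" lookup 100
        run ip route add default via "$TUN_ADDR1" dev tunnel0 table 100
    fi
}

case "${ROLE:-}" in
    server1) setup_server1 ;;
    server2) setup_server2 ;;
    *)       : ;;   # no ROLE given: functions are defined, nothing is applied
esac
```

Run it once with DRY_RUN=1 on each host and read the printed commands before applying them. In policy mode the VPS host still sees the real client addresses (useful for its own rate limiting and logs), while in snat mode all traffic on server2 appears to come from 10.200.0.1. Note that the kernel uses the larger of net.ipv4.conf.all.rp_filter and the per-interface value, so if all.rp_filter is 1 the tunnel0 setting alone will not relax the check.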
  • How could I make it symmetric by using NAT? I mean, which configuration should I use. – Matthew Feb 24 '17 at 14:59
  • I am getting this error on Server2: Error: either "local" is duplicate, or "tunnel0" is a garbage. – Matthew Feb 24 '17 at 15:50
  • Am I supposed to guess the command producing this error? – alxgomz Feb 25 '17 at 19:26
  • Honestly if you don't understand NAT I am not sure you should use this kind of setup. That will probably be quite hard to maintain for you. Having said that, the idea behind using NAT is to masquerade traffic outgoing from server1 to server2 through tunnel0 – alxgomz Feb 25 '17 at 19:28
  • OH sorry I forgot to mention the command, this is the command that generated that error: `ip a a ovh_ip/32 tunnel0` I then used this command: `ip a a ovh_ip/32 dev tunnel0` and it worked, but anyway, I wasn't able to create a VPS by using OVH network configuration even after making the tunnel on the second dedicated server. – Matthew Feb 27 '17 at 18:48